Preventing user from connecting other than through VPN

SergiyK
I have a Virtual Machine (VM) with a VPN connection. I double click the icon on the desktop to connect. After that I go out under the VPN's IP. When I am not connected I go out under my IP (Verizon DSL).

What I want is to prevent the ability to go out to the internet from this VM except under VPN. That is, if someone forgets to "dial in" and tries to open IE or another application, he gets an error.

"other application" = "any program accessing the Internet". ICQ, FTP client, whatever.
Top Expert 2013

Commented:
One option:  Statically assigning the remote VPN site's local DNS server as the only DNS server, in the TCP/IP DNS properties of the connecting VM, will restrict access, unless they try to do so by IP. If you do so, your VPN will have to connect by IP or have a manual entry in the Hosts file for the domain name to which it is connecting, since it will not be able to resolve DNS names until the VPN is connected.

Author

Commented:
I do not know what the remote site's DNS server is. How do I find out?
Top Expert 2013

Commented:
That is a good question :-)  Usually you would have some involvement in the management of the remote site and know that. Can you contact someone at that site and ask them to run   ipconfig  /all   at a command line? This will return its DNS configuration. If not, let us know what type of VPN connection you have or client you are using and you may be able to retrieve it. You may already have it on the local machine. You could run ipconfig  /all on the local machine while the VPN is connected, and check next to DNS for an IP starting with 192.168.x.x, 10.x.x.x or 172.16-31.x.x  Then make sure it is not part of your local network.
You could also try, while connected to the VPN, using    nslookup  RemoteDomainName.abc  if you know the domain name.

Author

Commented:
I am using a regular VPN :) I set it up like this:


New Connection ->
Connect ... at workplace -->
V.P.N. ->
Company name = *** -->
Do not dial initial connection -->
IP = **.**.***.***

Then I hit connect, enter user name and password and I am there.

Ipconfig did not really work...

C:\Documents and Settings>ipconfig
Windows IP Configuration
An internal error occurred: Incorrect function.
Please contact Microsoft Product Support Services for further help.
Additional information: Unknown media status code.

Author

Commented:
Ok, Ipconfig worked now:


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : *****.******.com
        IP Address. . . . . . . . . . . . : 192.168.*.**
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.*.*

PPP adapter Bagalya:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.*.***
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.*.***
Top Expert 2013

Commented:
You need to use:   ipconfig /all    to get the DNS servers. But it may not help. The one you want should be displayed under the PPP adapter's configuration.

Do you have a domain at your end, or might *****.******.com be the domain name at the remote end? If so, try entering the following when the VPN is connected:
nslookup   *****.******.com
and it should return the IP of the remote DNS server.
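
Added example, not part of the thread and not any poster's code: a Python sketch of the check described in the replies above, which reads `ipconfig /all` output, takes the DNS servers listed under the PPP adapter, and keeps those that are private addresses outside the local LAN subnet. The sample output is constructed, the function names are hypothetical, and XP-style field labels ("IP Address", "DNS Servers") are assumed.

```python
import ipaddress
import re

# Constructed sample of XP-style `ipconfig /all` output (all values are made up).
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.45
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter ExampleVPN:

        IP Address. . . . . . . . . . . . : 10.20.0.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        DNS Servers . . . . . . . . . . . : 10.20.0.10
                                            10.20.0.11
"""
HEADER = re.compile(r"^(\S.*?) adapter (.+):\s*$")
FIELD = re.compile(r"^\s+([^.:]+?)[\s.]*:\s*(.*)$")
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_adapters(text):
    """Split the output into adapters, each with a {field name: [values]} dict."""
    adapters, key = [], None
    for line in text.splitlines():
        head, field = HEADER.match(line), FIELD.match(line)
        if head:
            adapters.append({"type": head.group(1), "name": head.group(2), "fields": {}})
            key = None
        elif adapters and field:
            key = field.group(1).strip()
            adapters[-1]["fields"][key] = [v] if (v := field.group(2).strip()) else []
        elif adapters and key and line.strip():
            adapters[-1]["fields"][key].append(line.strip())  # continuation, e.g. 2nd DNS server
    return adapters

def vpn_dns_candidates(text):
    """DNS servers under PPP adapters that are private and outside every local subnet."""
    adapters = parse_adapters(text)
    local = [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
             for a in adapters if a["type"] != "PPP"
             for ip, mask in zip(a["fields"].get("IP Address", []), a["fields"].get("Subnet Mask", []))]
    ppp_dns = [ipaddress.ip_address(d) for a in adapters if a["type"] == "PPP"
               for d in a["fields"].get("DNS Servers", [])]
    return [str(d) for d in ppp_dns
            if any(d in n for n in PRIVATE) and not any(d in n for n in local)]
```

An empty result means the PPP adapter lists no DNS server, or the one it lists falls inside the local LAN range, which is the overlap case the reply says to rule out.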

Author

Commented:
C:\Documents and Settings>nslookup myhome.westell.com
Server:  dslrouter
Address:  192.168.1.1

Name:    myhome.westell.com
---

This is my router's IP address...

By the way, can I set up the router for this VM so that traffic of this particular VM can go only from one IP (VPN)?

Top Expert 2013
Commented:
>>"can I set up the router for this VM so that traffic of this particular VM can go only from one IP (VPN)?"
Not familiar with your modem/router, but as a rule on simple units like the Westells, you can control what IPs are allowed outgoing connections, but not where they go. Where the VPN is a virtual connection I doubt you can block it in that way.

>>"Server:  dslrouter"
As mentioned, that is the router. You need the corporate DNS server's IP.
Do you know the name of any computers or servers at the corporate site, even if by checking drive mappings? If so, using nslookup as suggested earlier should return the computer's IP but also the IP of the DNS server that resolved the name. This of course has to be done while the VPN is connected.
nslookup  RemoteDomainName.abc  
